Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Retailer shares customer’s in-store behaviour with the customer’s employer

PIPEDA Case Summary #2016-004

January 9, 2016

Complaint

A customer of a retail store complained that a store employee disclosed his personal information to his employer. The information consisted of the customer’s name and details regarding his behaviour as well as certain statements he made while interacting with store staff.

Summary of Investigation

The customer had concerns with several of the store’s practices, including its customer service, store management and security measures, and he raised them with store staff. According to the store, the customer communicated his concerns in an aggressive and intimidating manner and, in doing so, also identified his employer. A corporate representative of the store called a contact at the customer’s employer and reported the customer’s name, in-store behaviour and statements. The representative indicated he did so out of concern for store staff and for the purpose of understanding whether the complainant’s behaviour was consistent with ethical standards in the industry in which the customer stated he worked. The contact then shared the information provided by the representative with the customer’s manager who in turn informed the customer of the disclosure.

Upset that this information had been reported to people at his workplace, the customer followed up by making a complaint to the store’s privacy office, which issued a letter of apology. As the customer remained dissatisfied, he filed a complaint with our Office, alleging that the store had disclosed his personal information without his knowledge or consent.

Outcome

During the course of our investigation, the store presented two main arguments in defence of the alleged disclosure. These are discussed below.

Personal information

Firstly, the store asserted that the information it had shared with the employer was not personal information because the customer had made the information publicly known when raising his concerns in a public store within earshot of other customers.

Our Office noted that PIPEDA defines personal information as “information about an identifiable individual”. PIPEDA does not exclude personal information simply because it may have been overheard by others.

Consent for disclosure

Secondly, while confirming it did not make the disclosure with the complainant’s knowledge and express consent, the store claimed that it could rely on the customer’s implied consent to disclose his information in this case. In particular, the store asserted that the very information the complainant alleged had been inappropriately disclosed by the organization had also been shared by the complainant himself in view and within earshot of other customers.

Our Office did not find support for implied consent in the circumstances. As noted in Principle 4.3.6, implied consent may be appropriate where personal information is less sensitive. We considered the customer’s personal information disclosed in the context of this case to be sensitive since it was shared with others at his workplace, and thus had the potential to negatively affect his employment.

In addition, Principle 4.3.5 states that in obtaining consent, the reasonable expectations of the individual are relevant. In this respect, we found it difficult to understand how a person would reasonably expect that statements they directed at store employees and behaviour they exhibited in the context of raising complaints with the store would be shared with a third party contact at that person’s workplace, who was uninvolved in the events and could, in turn, disclose the information to further colleagues.

We also noted that while PIPEDA does allow for exceptions to consent for disclosures of certain publicly available personal information, this information must be specified in the Regulations Specifying Publicly Available Information. The information disclosed by the store in this case did not constitute publicly available personal information specified in the Regulations. Thus, this exception to consent was not available in this case.

Accordingly, we found that the store had contravened Principle 4.3 by disclosing the complainant’s personal information without his knowledge or consent.

We considered the matter well-founded and resolved after the store confirmed that it had implemented our recommendations ─ which consisted of formally communicating the store’s PIPEDA obligations to the store representative who disclosed the information and all members of its senior management team.

Date modified: